COVID-19 constraints delay needed CMMC rule change

Social distancing requirements are complicating the Defense Department's implementation of its unified cybersecurity standard.

Katie Arrington, DOD's chief information security officer for acquisition, said that while the coronavirus pandemic hasn't affected training preparations, social distancing efforts have delayed the public hearing required for the Defense Federal Acquisition Regulation Supplement (DFARS) rule change that will enforce new cybersecurity standards for contractors.

"The premise of doing all of this is that we're going through a DFARS rule change," which requires a public hearing, Arrington said May 8 during a Billington Cybersecurity event on the Cybersecurity Maturity Model Certification (CMMC) program.

"We need to do a public hearing on the DFARS rule change. As we're reopening the government, we're learning how that will happen. So that is something that is impacting the rule change -- but not that training and the accreditations, not the rolling out of the [requests for information]."

Arrington said the public hearing should be happening "right now, but we just don't have the capability to do that yet."

Corbin Evans, principal director for strategic programs at the National Defense Industrial Association, told FCW via email the public hearing was key for industry preparing for CMMC.

"While we want the CMMC program to continue to move forward, we recognize the importance of getting the policies right and we appreciate the DOD's recognition that a public meeting is a vital part of that process," Evans said.

The pandemic, however, hasn't affected the CMMC accrediting body's mission to develop training materials for assessors that will certify contractors.

Ty Schieber, the body's board chair, said May 8 the organization is considering all options when it comes to online training to adhere to social distancing measures.

"The issue of online training hasn't been determined," he said, adding that "there's a significant pivot in terms of adopting either in total or as part of a hybrid solution."

For CMMC, Schieber said the accrediting body is working with DOD to develop the training materials to meet the schedules.

"It's an iterative process. We go through our beta training, we have a pathfinder process where we will work with DOD [subject matter experts] and some of their industry contractors and go through a mock process to wring it out," he said, "and then migrate into a provisional delivery model over the course of the next several months."

Schieber said the accrediting body would deliver provisional training for assessors in July, with long-term training for CMMC starting this fall or early in the 2021 calendar year.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. Follow her on Twitter @lalaurenista.